Memory Acquisition by Using Network Card
DOI: https://doi.org/10.13052/jcsm2245-1439.314
Keywords: Live Forensics, Memory Acquisition, DMA, Forensic analysis, network card, direct memory access, rootkit detection
Abstract
To detect a rootkit that is present on a system, rootkit and malware detectors need access to memory. But sophisticated rootkits are able to subvert the verification process of a security scanner by using virtual memory subversion techniques to hide their activity. We propose a new solution for direct memory access, based on a custom NDIS protocol driver that can send (at the request of a local executable program) the contents of the computer's memory over the network. Our method allows an unconventional type of direct memory access, one that is independent of the processor and its control capabilities. This is a strong advantage in rootkit detection, because the rootkit cannot take any action to hide itself while the memory is scanned.
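The abstract describes the acquisition path (a local program asks the NDIS protocol driver to push memory over the network to a collector) but not the collector side. The following is an added example, not code from the paper or its driver: a collector that reassembles such a stream into a sparse physical-memory image. The frame layout (a `MEMD` magic, 64-bit physical address, 16-bit length, payload) and all function and class names are assumptions made for this illustration; the paper's real wire format is not given on this page. The example handles the cases a practitioner hits on a live capture: frames arriving out of order, duplicated frames whose content differs because memory changed between sends, malformed frames, and gaps that must be reported rather than silently zero-filled.

```python
"""Collector-side reassembly for a memory-over-network acquisition stream.

Added example (not the paper's code). The frame format below is assumed:
    magic (4 bytes, b"MEMD") | physical address (8 bytes, big-endian)
    | payload length (2 bytes, big-endian) | payload
"""
import struct
from typing import Dict, Iterable, List, Tuple

MAGIC = b"MEMD"
HEADER = struct.Struct(">4sQH")  # magic, physical address, payload length


def build_frame(phys_addr: int, payload: bytes) -> bytes:
    """Sender side: wrap one chunk of physical memory in a frame."""
    if not payload or len(payload) > 0xFFFF:
        raise ValueError("payload must be 1..65535 bytes")
    return HEADER.pack(MAGIC, phys_addr, len(payload)) + payload


def parse_frame(frame: bytes) -> Tuple[int, bytes]:
    """Return (physical address, payload); raise ValueError on a malformed frame."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than header")
    magic, addr, length = HEADER.unpack_from(frame)
    if magic != MAGIC:
        raise ValueError("bad magic %r" % magic)
    payload = frame[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("payload truncated")
    return addr, payload


class MemoryImage:
    """Sparse image of physical memory reconstructed from acquisition frames."""

    def __init__(self, size: int) -> None:
        self.size = size
        self.chunks: Dict[int, bytes] = {}
        self.duplicates = 0
        self.conflicts: List[int] = []  # addresses whose retransmission differed

    def add(self, addr: int, payload: bytes) -> bool:
        """Store one chunk; return True if it was new, False if a duplicate."""
        if addr < 0 or addr + len(payload) > self.size:
            raise ValueError("chunk at %#x lies outside the image" % addr)
        prev = self.chunks.get(addr)
        if prev is not None:
            self.duplicates += 1
            if prev != payload:
                # Live memory can change between a frame and its retransmission.
                # Keep the first copy and flag the address for the analyst.
                self.conflicts.append(addr)
            return False
        self.chunks[addr] = payload
        return True

    def ingest(self, frames: Iterable[bytes]) -> int:
        """Consume frames in arrival order; return the number of new chunks."""
        accepted = 0
        for frame in frames:
            try:
                addr, payload = parse_frame(frame)
                if self.add(addr, payload):
                    accepted += 1
            except ValueError:
                continue  # drop a bad frame rather than abort the whole capture
        return accepted

    def covered(self) -> List[Tuple[int, int]]:
        """Merged, sorted [start, end) intervals that have been received."""
        merged: List[Tuple[int, int]] = []
        for start, end in sorted((a, a + len(p)) for a, p in self.chunks.items()):
            if merged and start <= merged[-1][1]:
                merged[-1] = (merged[-1][0], max(merged[-1][1], end))
            else:
                merged.append((start, end))
        return merged

    def missing_ranges(self) -> List[Tuple[int, int]]:
        """[start, end) ranges never received; these must be reported, not hidden."""
        gaps: List[Tuple[int, int]] = []
        cursor = 0
        for start, end in self.covered():
            if start > cursor:
                gaps.append((cursor, start))
            cursor = end
        if cursor < self.size:
            gaps.append((cursor, self.size))
        return gaps

    def to_bytes(self, fill: bytes = b"\x00") -> bytes:
        """Flat image; unreceived ranges are filled with `fill` (see missing_ranges)."""
        buf = bytearray(fill * self.size)
        for addr, payload in self.chunks.items():
            buf[addr:addr + len(payload)] = payload
        return bytes(buf)


def demo() -> Tuple[MemoryImage, int, bytes]:
    """Constructed sample: 64 bytes of 'physical memory' sent as 16-byte pages."""
    page = 16
    memory = bytes(range(64))
    pages = [memory[i:i + page] for i in range(0, len(memory), page)]
    wire = [
        build_frame(0, pages[0]),
        build_frame(48, pages[3]),   # out of order
        build_frame(0, pages[0]),    # duplicate of page 0
        build_frame(16, pages[1]),
        b"JUNK",                     # malformed frame; page at 32 never arrives
    ]
    img = MemoryImage(len(memory))
    return img, img.ingest(wire), memory


if __name__ == "__main__":
    image, new_chunks, _ = demo()
    print("accepted", new_chunks, "duplicates", image.duplicates,
          "missing", image.missing_ranges())
```

The collector deliberately keeps the first copy of a page and records conflicting retransmissions instead of overwriting, because on a running system the later copy is not "more correct", only different, and the analyst needs to know which pages were smeared. The gap list is what turns a best-effort stream into evidence: an image with undeclared zero-filled holes would mislead a memory-analysis tool.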
References
Ries, C. Inside Windows Rootkits. 2006. Online: www.thehackademy.net/madchat/vxdevl/library/Inside Windows Rootkits.pdf
Sparks, S. and Butler, J. Raising The Bar For Windows Rootkit Detection. Phrack Magazine, Volume 0x0b, Issue 0x3d, 2005.
Davis, M. Hacking Exposed Malware & Rootkits. McGraw-Hill, United States, 2009. ISBN 0071591192 / 9780071591195.
Kornblum, J. D. Exploiting the Rootkit Paradox with Windows Memory Analysis. International Journal of Digital Evidence, Volume 5, Issue 1, Fall 2006. Online: www.ijde.org
Rutkowska, J. Detecting Windows Server Compromises with Patchfinder 2. January 2004. Online: www.invisiblethings.org/papers/rootkits_detection_with_patchfinder2.pdf
Szor, P. The Art of Computer Virus Research and Defense. Addison-Wesley Professional, 2005. ISBN 0321304543.
Carvey, H. Windows Forensic Analysis DVD Toolkit, 2nd Edition. Syngress, June 11, 2009. ISBN-13: 978-1597494229, ASIN: 1597494224.
Boileau, A. Hit By A Bus: Physical Access Attacks with Firewire. Security-Assessment.com, Ruxcon, 2006 [cited 2011-05-25]. Online: http://www.storm.net.nz/static/files/ab_firewire_rux2k6-final.pdf
Carrier, B. and Grand, J. A Hardware-Based Memory Acquisition Procedure for Digital Investigations. Digital Investigation Journal, February 2004.
Petroni, N. L., Jr., Fraser, T., Molina, J. and Arbaugh, W. A. Copilot: a coprocessor-based kernel runtime integrity monitor. In SSYM'04: Proceedings of the 13th USENIX Security Symposium, Berkeley, CA, USA. USENIX Association, 2004, pp. 13-13.
Baliga, A., Ganapathy, V. and Iftode, L. Automatic inference and enforcement of kernel data structure invariants. In ACSAC '08: Proceedings of the 2008 Annual Computer Security Applications Conference, Washington, DC, USA. IEEE Computer Society, 2008, pp. 77-86.
Duflot, L., Perez, Y.-A., Valadon, G. and Levillain, O. Can you still trust your network card? Agence nationale de la sécurité des systèmes d'information (ANSSI), 2010 [cited 2012-05-16]. Online: http://www.ssi.gouv.fr/IMG/pdf/csw-trustnetworkcard.pdf
Delugré, G. Closer to metal: Reverse engineering the Broadcom NetExtreme's firmware. Sogeti ESEC Lab, 2010 [cited 2012-05-16]. Available from: http://esec-lab.sogeti.com/dotclear/public/publications/10-hack.lu-nicreverse_slides.pdf
Wang, J., Zhang, F., Sun, K. and Stavrou, A. Firmware-assisted Memory Acquisition and Analysis Tools for Digital Forensics. In 2011 IEEE Sixth International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE), 2011.
PCAUSA. NDIS Developer's Reference. 2012 [cited 2012-05-16]. Online: http://ndis.com
ManTech International. ManTech Memory DD (MDD), released under the GPL. Online: http://sourceforge.net/projects/mdd/